Tim Stevens
Wednesday, May 13, 2020

GDPR 2 Years on: How will Brexit affect it?

In May 2018, the way businesses handle and process personal and sensitive data was overhauled with new Europe-wide General Data Protection Regulation (GDPR) rules. And the continent now has the world’s strictest data protection laws.

In the UK, the Information Commissioner’s Office (ICO), which can conduct criminal investigations and issue fines, enforces GDPR.

UPDATED: In April 2020, the UK data regulator the ICO said it would adopt a ‘lighter touch’ to investigations and fines in view of the Covid-19 crisis. Organisations found to have breached the rules may be given more time to put things right if they can prove they’ve been affected by the pandemic.

What is it?

The GDPR modernised outdated laws while protecting individuals’ personal information, giving them more control over it and harmonising data privacy law across Europe.

A new fines regime of up to €20m (£18m) for the most serious breaches, or 4% of global turnover if greater, replaced the previous maximum penalty of £500,000.

Under the GDPR, companies with 250 or more employees must:

Document why they’re collecting and processing people’s information

Describe what’s being kept and how long for

Outline the technical security measures in place

Delete information when it’s no longer needed for the purpose it was gathered for

In some situations, businesses must obtain consent before processing data, and there must be a ‘positive opt-in’. Equally, under a Subject Access Request (SAR), an individual can ask to see their data, free of charge.

Have any companies been fined so far?

Yes. British Airways and the Marriott hotel chain were among the first.

Marriott was slapped with a proposed fine of nearly £100m, following a hack of records of millions of guests. BA received a notice of a fine of £183m, 1.5% of its global annual turnover, following a similar hack. These fines were imposed in summer 2019.

In both cases appeals are ongoing. In April 2020, it was reported that, following one initial extension, the fines had again been deferred pending further investigations. If they are levied, they’ll be by far the biggest fines issued to date under the GDPR.

Of the 206,326 cases reported under the GDPR across the European Economic Area’s (EEA’s) 31 countries, national data protection agencies have resolved just 52%. Among other fines to have been issued is a €50m penalty for Google from French regulator CNIL in early 2019.

But no non-compliant organisation can afford complacency. Data protection processes require regular review, so that all measures are in place to minimise threats to security.

One survey from July 2019 revealed that almost a third of European businesses are still not fully GDPR-compliant. Yet general awareness of data protection is rising, thanks to increasingly publicised breaches. And the potential reputational damage is as problematic as the financial penalties.

What happens after Brexit?

Passed in 2018, the UK’s Data Protection Act incorporates most of the provisions of the GDPR. So businesses should not have to change policies once the transition period ends in late 2020. Ultimately, few changes are expected to the principles already in place – after all, the UK played a big part in the GDPR’s development.

However, if you move data between the UK and the European Economic Area, there could be changes, depending on how the UK leaves the EU, particularly in a ‘no deal’ situation.

If that happens, organisations will need to work with their counterparts overseas to assess whether alternative legal arrangements are needed.

The GDPR limits movement of personal data to non-EEA nations. If personal data is transferred to ‘third countries’, which is what Britain would become under no deal, it must be protected by appropriate safeguards. So the government would need to take steps to allow the free flow of personal data to the EEA.

Two Years on

May 2020 marks two years of the GDPR, and views on its success have been divided. Some say there have been real benefits to both businesses and consumers in terms of being able to access and monitor how data is being used, and the right to request deletion.

But a study from the web browser ‘Brave’ describes the GDPR as ‘toothless’, arguing that national regulators have inadequate resources and that enforcement has not been strong enough. In some cases, regulators’ funding has been cut since the GDPR came into force.

What we do

At i-4business, our prospect data on technology companies is GDPR-compliant, and we supply only permissioned information.

We offer a free trial and access to our specialist EMEA database so that you can evaluate our service for yourself. You can look forward to unlimited access and a transparent view of our systems for 14 days.

To book your free trial, please get in touch with one of the i-4business team today.

Editor's Note: This post was originally published in November 2019 but has been updated to better reflect the changed B2B market as a result of the Covid-19 Pandemic.